Workshop: How an IAM RFP Can Help You Choose the Best Solution for Your Business
Earl Perkins
Disaster Awaits Your RFP Efforts Unless You Plan Ahead
[Figure: planning sequence Principles, Practices, Policies, Processes, People, Products, Production, plotted against complexity and time to deliver. Labels: "Proper planning direction"; "Planning direction frequently used"; "Consequences (in complexity and time to deliver when you plan exclusively "backward")".]
Identity and Access Management Defined
IAM provides a practical, structured, and coherent approach to the management of users' identities and their access to systems and data in line with business needs.
IAM ensures that the right people get access to the right resources at the right times for the right reasons, enabling the right business outcomes.
Cost-justifying IAM
- Enablement
- Effectiveness
- Efficiency
The IAM Technology Model
[Figure: IAM technology model diagram. Labels as extracted: Policy Governance Identities Governance and Administration Entitlements Identity Data Audit and Report Intelligence Analytics Workflow Engine (Processes) Identity Data and Log Model Entitlements Data Authentication Access Authorization Activity Data Brokerage via Target System Integration (Connectors) Target Systems]
Taxonomy of IAM Technologies
Categories: Administration, Intelligence, Authentication, Authorization
Technologies:
- Identity administration
- Password management
- CM tools
- PKI
- AD/Unix bridge tools
- Microsoft resource access administration
- Identity governance & administration
- ERP SOD controls
- SIEM
- Web fraud detection
- Electronic signatures and transaction verification
- Authentication methods
- Authentication infrastructures
- Identity proofing services
- ESSO
- SSL VPN
- Federated authentication
- WAM
- Externalized authorization management
- Content-aware DLP
- EDRM
- Encryption
- Identity-aware networking
- Privileged account management
IAM Project Type and Complexity
[Figure: IAM projects plotted by IAM project type (axis labels: Business, Strategic, Tactical, IT) against IAM project complexity ($ Simple to $$$ Complex). Projects shown: Limited Scope Single Sign-on; Web Access Mgmt.; User Authentication; ESSO; Federation; PAM; Identity Governance and Administration; User Administration/Provisioning; Identity Analytics; Externalized Authorization Mgmt.; Password Mgmt.; Directory Services.]
Factors That Impact the Cost of IAM
Strategic Planning Assumption
By 2016, alternative methods of IAM delivery will shift 50% of new enterprise IAM proposal requests from a product contract focus to a service one.
Supporting the SPA:
- The pricing model for IAM as a service is growing more compelling as features improve.
- Maturing internal IT services tend to shift to external delivery as more complex challenges beckon for limited internal IT resources.
- More customers with limited internal IT capabilities are seeking IAM solutions.
- Hybrid IAM in-house and cloud-delivered solutions will abound.
Alternate position to the SPA:
- Certain customers will never outsource IAM or address all IAM needs with IAM as a service.
- Cloud computing as a viable IAM service delivery method will continue to struggle.
- Privacy and security management concerns for cloud-delivered services will delay adoption.
- An installed base of in-house IAM solutions won't be soon replaced.
IAM Pricing Models
[Figure labels: Perpetual; Subscription; IDaaS (Public Cloud); Enterprise Tiered, Named, User Based; Per Active User, per Month; Market Growth]
An IAM RFP
- Do you seek to acquire IAM products, services, or both?
- Are you establishing an IAM program (with technology needs) or addressing a specific IAM requirement?
- Does this RFP address the planning, building, and/or operational portion of your requirement?
- Are you addressing requirements for your internal employees, external customers and partners, or both?
- Do you have an executive business sponsor, or is this an IT initiative?
The IAM Product RFP Process
1. Assessment: Gather requirements, manage scope, and assess gaps.
2. Preparation: Prepare/Review RFP, weight criteria, validate the process.
3. Submission: Submit RFPs to participants and Q&A period.
4. Response: Collect RFP responses, review, oral presentation, finalists.
5. Selection: Conduct POC, analyze finalists, select vendors.
What an IAM Product RFP Should Include
Sections: Introduce, Instruct, Inform
- RFP (and IAM program) goals and executive summary
- Contents of the document
- What document specifies (and does not)
- Selection criteria
- RFP process and schedule
- Who to contact
- Format of response and time frame allowed
- Legal conditions and contractual concerns
- Service levels and KPIs (program and post-implementation)
- Company description, mission, IT mission and geography
- Current technical environment description
- Definitions and acronyms
- Priorities
- Functional specifications
- Technical specifications
What an IAM Product RFP Should Include (Contd.)
Inquire (1)
- Respondent company's general information
- IAM market position, viability, qualifications, client references
- IAM product portfolio descriptions
- Third-party partners for delivery, if any
- Certifications (e.g., ISO 9000), diversity
Inquire (2)
- Functional requirements specification responses
- Technical requirements specification responses
- System integration delivery, migration capabilities
- Implementation plan, schedule
- Training and education
- Test and acceptance
Inquire (3)
- Pricing of product, maintenance and support
- Program pricing and expenses
- Payment schedule, milestones and penalties
- Description of services provided
- SLA and product guarantees
Criteria for Vendor Product Selection in IAM RFPs
1. Price (life cycle)
2. Functionality and technical fit
3. Adaptability
4. Support
5. Compatible with your strategy
6. Viability
7. Availability of alternate means of delivery
8. Support for a hybrid coexistence
9. Migration support
10. Transferable skills
Workshop Steps
- Selection of discussion "leaders"
- Break into teams
- Develop individual checklists for:
1. Key requirements
2. Participants in RFP (using RACI matrix)
3. Communications plan
4. Top three selection criteria (for your enterprise)
5. First steps
6. "Do's and don'ts"
Recommendations
- Develop an RFP process for yourself and the vendor as part of an overall IAM program.
- Use a "4-I" approach to RFP structure: Introduce, instruct, inform, and inquire.
- Select a use-case approach to the RFP that reflects your business approach to IAM.
- Apply criteria to selecting a vendor based on real differentiators beyond the technical features.
Action Plan for IAM Leaders
Monday Morning:
- Choose what kind of RFP for IAM is really needed.
Next 90 Days:
- Assess the current state of IAM in the enterprise from an organization, process, and technology perspective to have a starting point.
- Use the assessment to develop an RFP process as part of an IAM program where practical.
Next 12 Months:
- Develop an RFP based on the principles outlined here.
- Deliver to selected respondents.
- Review responses, and choose a vendor.